Security can be very controversial at times, especially when it seems that security is throwing logic out of the window. Security is sometimes applied in a scenario when logic would dictate that it’s not really needed. Is this a good or a bad thing? It’s hard to say but in my opinion there is method to the madness.
Lately we had some controversial stories about airport security. It all started when they introduced body scanners – equipment that uses low powered X-rays to see through cloths. Controversy sparked when a pilot refused a body scan and then refused to be pat down claiming that a pat down received for refusing a body scan was way too intrusive. Many people pointed out how silly this episode was, especially because if a pilot wants to bring down a plane he has no need for bombs or weapons. Logically there was no reason for enforcing the procedure in this case.
Recently another story broke out, when three-year-old Mandy Simon got nervous after her teddy bear was taken away from her and put through the X-ray machine. In her upset state she triggered the metal detector twice (most likely by repeatedly hitting the detectors) and as stated by the airport security policy she had to receive a pat down which made her cry and scream at airport security personnel to stop touching her. This story makes it really hard for anyone to side with airport security.
These two scenarios show that perhaps there should be flexibility in security, but is that even possible? Airport security personnel are not the ones setting the policy, they’re just executing it, so would it make sense to allow them to apply that policy as they see fit? Another important aspect we need to consider is the context. While a pilot doesn’t need a bomb to bring down a plane, what if the person whom the security personnel have in front of them is actually an imposter trying to exploit lax security for pilots to get through? If small children were allowed to go through without being screened, wouldn’t that send the message that using children is the way to get bombs, weapons and other forbidden items past security checks?
Obviously one always needs to weigh the risk against the cost and also introduce a bit of empathy. Having a 3 year old traumatized by such an ordeal is definitely a very bad thing that is totally inexcusable. That being said, the solution should probably come in the form of a redesign of the procedure when dealing with kids, and not allowing security personnel to forgo screening children at their discretion. What I mean is that it is the policy that requires the fixing and not the behaviour of those executing the policy. Those executing the policy are being strict because they have to be, otherwise they’d be the weak link in the implementation.
This cautionary tale applies to Information Technology as well. In an IT infrastructure, security is a middle ground between what it’s trying to achieve and the inconvenience it is creating to ensure security. While preventing a web browser from installing plug-ins is in no way comparable to distressing a three-year-old kid, the reaction we get is generally quite similar. Users will complain that there is no logical use for that policy. This happens because in most cases people will complain and get frustrated when attempting a legitimate operation which gets blocked and thus they fail to see the need for the policy. The policy however was not designed to stop the legitimate access, but to protect against when the seemingly legitimate operation becomes a security risk; for example, when installing a seemingly harmless web browser plug-in turns out to be a Trojan in disguise.
It is important to find a balance between security and convenience for it to be successful. Going either one way or the other is generally a bad idea. Don’t sacrifice security for convenience and try to avoid sacrificing convenience if it is not really necessary.